DSR with route-to, OSPF and OpenBSD
Assumes you have OSPF already running on your network and one or more public IPs which you want to serve content from.
- Set up a loopback interface with the public IP:

    echo inet <Public-IP> 255.255.255.255 > /etc/hostname.lo1

- Advertise the public IP via OSPF (/etc/ospfd.conf):

    redistribute connected
    area 0.0.0.0 {
    ...
        interface lo1
    ...
    }

- Add route-to rules to pf.conf:

    pass in quick on $EXT_IF route-to ($LAN_IF $SERVER_IP) proto tcp from any to $PUBLIC_IP port $DEST_PORTS

- Create a dummy interface on the webserver (/etc/network/interfaces for Debian/Ubuntu); the auto line must name the same interface as the iface stanza, and the netmask must be 255.255.255.255 so the server only claims the single public address:

    auto dummy0
    iface dummy0 inet static
        address $PUBLIC_IP
        netmask 255.255.255.255

- Restart everything (networking, pf and ospfd on OpenBSD; networking on the webserver).
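As an added check that is not part of the original post, the following Python lints the two interface fragments from the steps above: the public IP must be configured as a /32 on both the OpenBSD loopback and the webserver's dummy interface, and the interfaces file's auto line must name the same interface its iface stanza defines (otherwise the address never comes up). The sample inputs are constructed, with hypothetical addresses.

```python
# Constructed sample inputs (hypothetical addresses), mirroring the post's fragments.
PUBLIC_IP = "203.0.113.10"
HOSTNAME_LO1 = "inet 203.0.113.10 255.255.255.255\n"
INTERFACES = """auto dumm0
iface dummy0 inet static
    address 203.0.113.10
    netmask 255.255.255.255
"""
HOST_MASK = "255.255.255.255"


def check_openbsd_loopback(text, public_ip):
    """hostname.lo1 must carry the public IP as a /32 so OSPF advertises a host route."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["inet", public_ip]:
            if fields[2] != HOST_MASK:
                return [f"lo1: {public_ip} needs netmask {HOST_MASK}, got {fields[2]}"]
            return []
    return [f"lo1: no 'inet {public_ip}' line"]


def check_linux_dummy(text, public_ip):
    """The stanza holding the public IP must be a /32 (so the server never claims
    or locally routes the rest of that subnet) and must actually be brought up:
    its 'auto' line has to name the same interface as its 'iface' line."""
    auto, stanzas, current = set(), {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "auto":
            auto.update(fields[1:])
        elif fields[0] == "iface" and len(fields) >= 4:
            current = fields[1]
            stanzas[current] = {}
        elif current is not None and len(fields) >= 2:
            stanzas[current][fields[0]] = fields[1]
    holders = [name for name, opts in stanzas.items() if opts.get("address") == public_ip]
    if not holders:
        return [f"interfaces: no stanza with address {public_ip}"]
    problems = []
    for name in holders:
        if stanzas[name].get("netmask") != HOST_MASK:
            problems.append(f"{name}: netmask must be {HOST_MASK}")
        if name not in auto:
            problems.append(f"{name}: no 'auto {name}' line, interface will not come up at boot")
    return problems
```

Run against the constructed INTERFACES sample it reports the missing auto line caused by the dumm0/dummy0 mismatch; with the typo fixed it reports nothing.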
This could be extended to a load balancer by replacing the single route-to target in the pf rule with a list of targets:

    route-to { ($LAN_IF $SERVER1_IP), ($LAN_IF $SERVER2_IP) } round-robin
It should be noted that this won't check the health of your servers, and I haven't put any thought into how to do this yet.
At work we're using the system to provide a public IP to a cluster of servers deep within our private network. The servers use a redundant pair of OpenBSD routers as their default gateway (which uses CARP to float the default gateway IP). By using OSPF to advertise the public IP to the network (and ultimately the border router), we don't need to use CARP for this address, wasting a further IP on that subnet per router.
We've only had this in use from today, so I have no idea how it'll really perform.
(DSR = Direct Server Response - server replies can go via their default gateway, without having to necessarily go back via the original router or load balancer).